From Secunia (http://secunia.com/advisories/36549/): A vulnerability has been discovered in the Apache mod_proxy_ftp module, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in mod_proxy_ftp when processing responses received from FTP servers. This can be exploited to trigger a NULL-pointer dereference and crash an Apache child process via a malformed EPSV response. Successful exploitation requires that a threaded Multi-Processing Module is used and that the mod_proxy_ftp module is enabled. The vulnerability is confirmed in Apache versions 2.0.63 and 2.2.13. Other versions may also be affected.
The Secunia advisory indicates that there is no patch yet.
CVE-2009-3094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3094): The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
CVE-2009-3095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3095): The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
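The CVE-2009-3094 description above says only that a malformed EPSV reply leads to a NULL pointer dereference in the proxy's reply handling. The following is an added illustration of that bug class, written for this page; it is not Apache's proxy_ftp.c and makes no claim about the exact code path that was fixed in 2.2.14. It parses the RFC 2428 reply format `229 Entering Extended Passive Mode (|||port|)` twice: once the way a trusting parser does (the NULL from `strchr` is used without a check, so a reply with no `(` crashes the process), and once with every assumption about the server's reply validated. The sample replies are constructed; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Vulnerable pattern (illustrative, not Apache's code): the server is
 * trusted to send "(<d><d><d>port<d>)".  If the '(' is missing, strchr()
 * returns NULL and the arithmetic below dereferences it in atoi():
 * a remote FTP server crashes the proxying process with one reply.
 * It also accepts garbage such as "(|||abc|)" and returns 0.
 */
int epsv_port_unsafe(const char *reply)
{
    const char *open = strchr(reply, '(');   /* NULL if '(' is absent */
    const char *digits = open + 4;           /* skips "(|||" -- NULL + 4 */
    return atoi(digits);                     /* reads address 4 -> SIGSEGV */
}

/*
 * Hardened parser: every byte the server controls is checked before it is
 * used.  Returns the port (1..65535) or -1 for any reply that is not a
 * well-formed RFC 2428 EPSV success reply.
 */
int epsv_port_safe(const char *reply)
{
    if (reply == NULL || strncmp(reply, "229", 3) != 0)
        return -1;                           /* not an EPSV success reply */

    const char *open = strchr(reply, '(');
    if (open == NULL)
        return -1;                           /* the check the unsafe path lacks */

    /* RFC 2428: the delimiter is a single printable ASCII char, repeated
     * three times before the port and once after it. */
    char d = open[1];
    if (d <= 32 || d >= 127 || d == '(' || d == ')')
        return -1;
    if (open[2] != d || open[3] != d)       /* short-circuits on '\0' too */
        return -1;

    const char *digits = open + 4;
    char *end;
    long port = strtol(digits, &end, 10);
    if (end == digits)                       /* no digits at all */
        return -1;
    if (*end != d || end[1] != ')')          /* trailing delimiter and ')' */
        return -1;
    if (port < 1 || port > 65535)
        return -1;
    return (int)port;
}

int main(void)
{
    /* Constructed sample replies: one valid, the rest malformed. */
    const char *good      = "229 Entering Extended Passive Mode (|||6446|)\r\n";
    const char *no_paren  = "229 Entering Extended Passive Mode\r\n";
    const char *not_num   = "229 Entering Extended Passive Mode (|||abc|)\r\n";
    const char *bad_range = "229 Entering Extended Passive Mode (|||70000|)\r\n";

    printf("safe   good:      %d\n", epsv_port_safe(good));
    printf("safe   no_paren:  %d\n", epsv_port_safe(no_paren));
    printf("safe   not_num:   %d\n", epsv_port_safe(not_num));
    printf("safe   bad_range: %d\n", epsv_port_safe(bad_range));
    printf("unsafe good:      %d\n", epsv_port_unsafe(good));

#ifdef DEMO_CRASH
    /* Compile with -DDEMO_CRASH to reproduce the crash class: this
     * dereferences NULL+4 and the process dies with SIGSEGV. */
    printf("unsafe no_paren:  %d\n", epsv_port_unsafe(no_paren));
#endif
    return 0;
}
```

The point for triage is the one the advisory makes: the crashing input is chosen by the remote FTP server, so any Apache instance that proxies to untrusted FTP servers with a threaded MPM loses a whole worker (and all of its threads' connections) per malformed reply. The safe variant shows the shape of the fix, which is to reject the reply rather than trust its layout.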
2.2.14 is out with the fix: http://www.apache.org/dist/httpd/CHANGES_2.2.14
2.2.14 in cvs
2.2.14-r1 is already stable.
proxy_ftp is not enabled by default, if I see it correctly, thus I re-rate C3, and voting is needed. Vote: NO.
NO too, closing.